Add CCR-2026-0006 Forgejo admin PAT OpenBao lane
Establish proposed workload-kv-read custody for the Forgejo site-admin PAT at platform/workloads/forgejo/forgejo-admin, sibling to forgejo-mailer. OIDC workstation fetch mirrors the railiance-backup-offsite pattern.
This commit is contained in:
parent
618641c984
commit
25fc47e5f2
3 changed files with 156 additions and 0 deletions
|
|
@ -0,0 +1,103 @@
|
|||
id: CCR-2026-0006
|
||||
kind: credential-change-request
|
||||
schema_version: 1
|
||||
request_type: workload-kv-read
|
||||
title: Forgejo operator/admin API token (PAT) lane
|
||||
status: proposed
|
||||
created: '2026-07-12'
|
||||
updated: '2026-07-12'
|
||||
requester:
|
||||
agent: grok
|
||||
message_id: 54125f84-e9df-4fa0-9309-7370633a20d3
|
||||
reason: Establish OpenBao custody for the Forgejo site-admin PAT currently dropped
|
||||
at /tmp/forgejo-tegwick-api-token or FORGEJO_ADMIN_TOKEN on workstations.
|
||||
Drivers include ACTIVITY-WP-0020 weekly package prune and railiance-apps /
|
||||
railiance-platform Forgejo automation tools.
|
||||
review:
|
||||
required: true
|
||||
required_approvers:
|
||||
- platform-operator
|
||||
target:
|
||||
domain: infotech
|
||||
tenant: coulomb
|
||||
workload: forgejo
|
||||
environment: production
|
||||
purpose: Forgejo admin API token for package prune, registry ops, org webhooks,
|
||||
and operator bootstrap on workstations and activity-core worker
|
||||
openbao:
|
||||
mount: platform
|
||||
kv_path: platform/workloads/forgejo/forgejo-admin
|
||||
fields:
|
||||
- API_TOKEN
|
||||
- API_USER
|
||||
- API_BASE_URL
|
||||
- TOKEN_SCOPES
|
||||
- GENERATED_AT
|
||||
policy_name: workload-kv-read-forgejo-admin
|
||||
policy_file: openbao/policies/workload-kv-read-forgejo-admin.hcl
|
||||
auth:
|
||||
method: oidc
|
||||
mount: netkingdom
|
||||
role: forgejo-admin-workload-kv-read
|
||||
allowed_redirect_uris:
|
||||
- https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback
|
||||
- http://localhost:8250/oidc/callback
|
||||
- http://127.0.0.1:8250/oidc/callback
|
||||
oidc_scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
user_claim: sub
|
||||
groups_claim: groups
|
||||
bound_claims:
|
||||
groups:
|
||||
- net-kingdom-admins
|
||||
bound_claims_confirmed: true
|
||||
policies:
|
||||
- workload-kv-read-forgejo-admin
|
||||
ttl: 15m
|
||||
access_frontdoor:
|
||||
type: ops-warden
|
||||
catalog_id: forgejo-admin-api-token
|
||||
selector: forgejo admin PAT package prune FORGEJO_ADMIN_TOKEN
|
||||
command: warden access forgejo-admin-api-token --fetch API_TOKEN
|
||||
resolvable: false
|
||||
readiness: pending-review
|
||||
delivery:
|
||||
surface: operator-workstation
|
||||
target: railiance-platform tools/cmd/forgejo-package-prune, activity-core
|
||||
weekly-forgejo-package-prune shell resolver, and railiance-apps Forgejo tools
|
||||
(load_token pattern after lane verified)
|
||||
risk:
|
||||
classification: high
|
||||
notes:
|
||||
- API_TOKEN is a Forgejo site-admin PAT for user tegwick (coulomb Owners).
|
||||
- Grants package, repository, and admin API operations on forgejo.coulomb.social.
|
||||
- Must not be stored on production hosts or pasted into Git, State Hub, or chat.
|
||||
- ops-warden must proxy reads as the caller and must not retain values.
|
||||
- Distinct from forgejo-mailer (SMTP) and railiance-backup-offsite-lane (WebDAV).
|
||||
verification:
|
||||
positive:
|
||||
- Approved net-kingdom-admins identity can read API_TOKEN through OpenBao or
|
||||
warden access without printing values in logs or hub messages.
|
||||
- warden route find "forgejo admin pat" resolves to catalog id forgejo-admin-api-token.
|
||||
negative:
|
||||
- default-policy token denied on platform/data/workloads/forgejo/forgejo-admin.
|
||||
activation_conditions:
|
||||
- CCR approved by platform-operator.
|
||||
- Policy and OIDC role applied with platform-admin or delegated applier authority.
|
||||
- PAT minted in attended Forgejo session (tegwick → Settings → Applications)
|
||||
and stored at platform/workloads/forgejo/forgejo-admin; metadata fields optional.
|
||||
- Positive and negative verification recorded with non-secret audit references.
|
||||
- ops-warden catalog entry promoted from draft after verification.
|
||||
lifecycle:
|
||||
deactivate: Disable ops-warden catalog entry and detach OIDC role policy; revoke
|
||||
PAT in Forgejo and retire workstation file-drop path.
|
||||
rotate: Mint a new PAT in Forgejo, update API_TOKEN in OpenBao, record non-secret
|
||||
rotation evidence, and restart dependent automation after downstream consumers
|
||||
load from OpenBao.
|
||||
compromised: Revoke PAT in Forgejo immediately, deactivate front door, rotate,
|
||||
audit package/webhook changes, record blast-radius notes.
|
||||
state_hub:
|
||||
workplan_id: ACTIVITY-WP-0020
|
||||
|
|
@ -320,3 +320,43 @@ Or let `lib/railiance-backup-common.sh` load from OpenBao after login when env i
|
|||
Recovery escrow (`AGE_PRIVATE_KEY`) is stored in the same path for disaster
|
||||
recovery; prefer the password-manager copy on restore drills per
|
||||
`railiance-cluster/docs/backup-restore.md`. Fetch only in attended sessions.
|
||||
|
||||
## Forgejo admin API token lane (`CCR-2026-0006`)
|
||||
|
||||
Workstation and activity-core automation (`forgejo-package-prune`, org webhooks,
|
||||
operator bootstrap) need a Forgejo site-admin PAT. Phase 1 replaces the legacy
|
||||
workstation file `/tmp/forgejo-tegwick-api-token` and `FORGEJO_ADMIN_TOKEN` env
|
||||
drops with OpenBao custody. Sibling to `forgejo-mailer` (SMTP); no cluster ESO
|
||||
in phase 1.
|
||||
|
||||
| Item | Value |
|
||||
| --- | --- |
|
||||
| CCR | `CCR-2026-0006-forgejo-admin-api-token-lane` |
|
||||
| KV mount | `platform` |
|
||||
| OpenBao CLI path | `platform/workloads/forgejo/forgejo-admin` |
|
||||
| Fields | `API_TOKEN` (secret); optional metadata `API_USER`, `API_BASE_URL`, `TOKEN_SCOPES`, `GENERATED_AT` |
|
||||
| Read policy | `workload-kv-read-forgejo-admin` |
|
||||
| Policy file | `openbao/policies/workload-kv-read-forgejo-admin.hcl` |
|
||||
| OIDC auth mount | `netkingdom` |
|
||||
| OIDC role | `forgejo-admin-workload-kv-read` |
|
||||
| Bound claim | `groups=net-kingdom-admins` |
|
||||
| ops-warden catalog id | `forgejo-admin-api-token` (draft until front door verified) |
|
||||
|
||||
Caller login:
|
||||
|
||||
```bash
|
||||
bao login -method=oidc -path=netkingdom role=forgejo-admin-workload-kv-read
|
||||
```
|
||||
|
||||
Fetch PAT for a Forgejo API run (do not log the value):
|
||||
|
||||
```bash
|
||||
export FORGEJO_ADMIN_TOKEN=$(
|
||||
bao kv get -field=API_TOKEN platform/workloads/forgejo/forgejo-admin
|
||||
)
|
||||
```
|
||||
|
||||
PAT mint: attended session as Forgejo user `tegwick` (site admin). Minimum scopes:
|
||||
`read:package`, `write:package`, `read:repository`, `write:repository`, plus admin
|
||||
scopes required by `forgejo-operator-bootstrap`. Downstream repos update `load_token()`
|
||||
to read OpenBao when env is unset after lane verification.
|
||||
|
|
|
|||
13
openbao/policies/workload-kv-read-forgejo-admin.hcl
Normal file
13
openbao/policies/workload-kv-read-forgejo-admin.hcl
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
# Least-privilege read policy for the Forgejo operator/admin API token (PAT).
|
||||
#
|
||||
# Grants read access to the site-admin PAT used by workstation and activity-core
|
||||
# automation (package prune, org webhooks, operator bootstrap). Sibling to
|
||||
# forgejo-mailer (SMTP); no cluster ESO delivery in phase 1.
|
||||
|
||||
path "platform/data/workloads/forgejo/forgejo-admin" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
path "platform/metadata/workloads/forgejo/forgejo-admin" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue